The Main Loop

First the script retroactively installs packages that are probably missing on a normal Raspberry Pi, including ZMap [6] and SSHPass [7] (lines 133-134). ZMap is a network scanner optimized to scan the IPv4 address space for a specific port. A commercially available PC with a symmetrical 1Gbps Internet connection requires about 45 minutes for a complete scan. A 10Gbps connection with corresponding hardware (typically a Linux cluster) and an optimized TCP/IP stack (with PF_RING [8], a network socket for capturing packets) takes about five minutes [6].

In line 138, a random 100,000 IP addresses are scanned for port 22 availability. The average hit rate is just under 0.6 percent. In these two cases, zmap on two cores of a Raspberry Pi 3B (RPi3B) took about 23 seconds to call.

The propagation is carried out in lines 141 and 142. This code tries to copy the script with scp. When logging in, the script uses the default password raspberry or the password of the Linux.MulDrop.14 miner. If successful, the IP address is stored in the /opt/.r file. The malware then makes the copied file executable on the freshly hacked computer and starts it.

To set a password for SSH in a script, you need the sshpass wrapper, which spoofs an interactive password entry for SSH. Production use of SSHPass is risky: Automation with a certificate-based logon and an SSH key agent seems more appropriate.

Table 1 shows the total number of scanned IP addresses, the number of reachable SSH ports, and the number of successful logins with one of the two passwords. The run time of a loop pass depends on the network interface used. In both cases, the target was an RPi3B.

On the first RPi3B, the admins were able to determine the number of IP addresses found with SSH service, because a line in /var/log/syslog was added to each (also unsuccessful) login (Listing 3). The UserKnownHostsFile script redirects to /dev/null (Listing 1, lines 141 and 142), so this entry is visible for each of the two logins, because the file is always empty when read. The duplicates were removed when counting the IP addresses, thus determining the number of SSH servers found. No log entries existed for the second RPi3B.

If the attacker finds a normal SSH server during these login attempts, two unsuccessful logins occur, because only the first command up to the first && is executed (line 141). These duplicate login attempts from the same IP address within one second are a clear signature of this script.

The IRC Bot

Although considered old-fashioned, this script creates a backdoor for remote control of the hijacked Raspberry Pi via IRC. The remote control feature doesn't seem to work anymore because the IRC channel #biret is disabled.

This IRC script connects to a randomly selected IRC server from six options and sets its nickname to a value calculated from the output of uname -a. The communication in /tmp/bot.log is logged in line 123. The provider Undernet manages one of the largest ICQ networks [9] but has nothing to do with the malware.

Line 73 creates file descriptor 3 for writing and reading to the specified TCP socket (e.g., /dev/tcp/ix1.undernet.org/6667 if the first server is selected). Thus, it is very easy to script communication to a server with simple printf and read commands.

The script reacts to the IRC PING commands with a PONG (lines 93-101) and connects to the biret IRC channel (line 99). It also responds to private messages (PRIVMSG, lines 102-105) that contain Base64-encoded commands. The command is copied to privmsg_data, and a digital signature to privmsg_h.

The script then compares the MD5 checksum of the decoded command (hash) with the decrypted checksum from the signature (sign). The command only starts if the digital signature is OK (line 110). The result of the execution is returned with Base64 encoding.

Evaluating the Logfiles

If you evaluate the numerous Invalid user pi from … log entries, you can determine the total number of invalid attempts, as well as the number of duplicate login attempts from one IP address at an interval of less than one second (hereafter referred to as pairs), which is the signature of this script.

An initial evaluation of the logfiles from three computers partially used as honeypots in the time window from August 5 to September 4, 2018 (31 days) is shown in Table 2. Between 1.5 and 2.5 events per IP address and day indicate that the script is still busy scanning.

Next, I evaluated two different log datasets. The first collected all invalid SSH login attempts with username pi between April 13, 2013, and September 7, 2018, for a single server. The second record contained invalid SSH login attempts with username pi on the servers of a research institution from November 25, 2018, 3:27am, to November 27, 2018, 11:35am (i.e., for 56 hours and 8 minutes). All told, invalid logins on 188 different computers in this institution were attempted. The first setting had 4,156 entries (Figure 2), of which 1,025 were pairs. The first pair appeared on June 10, 2017, which meant that pairs appeared here in a time window of 455 days at an average of 2.2 per day.

Figure 2: Invalid login attempts by user pi.

The login attempts came from 799 different IP addresses. However, the three events with a strongly increased number of login attempts in July 2015, February 2016, and August 2016 can no longer be analyzed retrospectively because of a lack of data from this time.

Before April 2015, practically no invalid login attempts were made (fewer than 12 per year) with the pi account. Activity increased around June 2017. A closer look at this time window shows the first signatures of the pair script (Listing 4) from June 10, 2017.

The second setting experienced 2,022 entries in 56 hours, of which 660 were pairs, corresponding to 11.8 pairs per hour, 3.5 pairs per server, or 1.5 pairs per server per day. The login attempts came from 267 different IP addresses.